hurricanemaxi Mon 07 Nov 2011, 5:33 pmWorm is exploiting zero-day exploit in the TrueType Windows component
The Duqu [dyü-kyü] worm, containing parts of the Stuxnet code, is a sophisticated piece of malware that's wreaking havoc on Windows machines worldwide. The authors appear to be specially targeting business and governmental entities in what may be a cyberespionage or cybersabotage attempt.
A Fix for Duqu:
Symantec warns:
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.
The malware piggybacks inside seemingly legitimate documents from Microsoft Corp.'s (MSFT) Word application. Once infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous seeming messages. Microsoft listed the threat as "severe".
Usually Microsoft has a pretty fast turnaround, when it comes to addressing such serious threats, and it did not disappoint here. Just days after the zero-day vulnerability was discovered, Microsoft has published new details of what's going on, along with a temporary fix to remove Duqu.
According to Microsoft's TechNet Security TechCenter and a post in the Microsoft Knowledge Base the Duqu virus is exploiting a zero-day vulnerability in the Win32k TrueType font-parsing engine. The vulnerability allows arbitrary code to be executed in kernel mode (a so called "privileges escalation" exploit).
invitations
ATV
The Duqu [dyü-kyü] worm, containing parts of the Stuxnet code, is a sophisticated piece of malware that's wreaking havoc on Windows machines worldwide. The authors appear to be specially targeting business and governmental entities in what may be a cyberespionage or cybersabotage attempt.
A Fix for Duqu:
Symantec warns:
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.
The malware piggybacks inside seemingly legitimate documents from Microsoft Corp.'s (MSFT) Word application. Once infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous seeming messages. Microsoft listed the threat as "severe".
Usually Microsoft has a pretty fast turnaround, when it comes to addressing such serious threats, and it did not disappoint here. Just days after the zero-day vulnerability was discovered, Microsoft has published new details of what's going on, along with a temporary fix to remove Duqu.
According to Microsoft's TechNet Security TechCenter and a post in the Microsoft Knowledge Base the Duqu virus is exploiting a zero-day vulnerability in the Win32k TrueType font-parsing engine. The vulnerability allows arbitrary code to be executed in kernel mode (a so called "privileges escalation" exploit).
invitations
ATV
